chore(release 2.8.x) cherry pick changes for 2.8.x

CHANGELOG.md

@@ -64,14 +64,22 @@
 
 ## [2.8.0] (UNRELEASED)
 
+### Deprecations
+
+- The external [go-pluginserver](https://github.com/Kong/go-pluginserver) project
+is considered deprecated in favor of the embedded server approach described in
+the [docs](https://docs.konghq.com/gateway/2.7.x/reference/external-plugins/).
+
 ### Dependencies
 
 - OpenSSL bumped to 1.1.1m
   [#8191](https://github.com/Kong/kong/pull/8191)
 - Bumped resty.session from 3.8 to 3.10
   [#8294](https://github.com/Kong/kong/pull/8294)
-- Bump lua-resty-openssl to 0.8.5
+- Bumped lua-resty-openssl to 0.8.5
   [#8368](https://github.com/Kong/kong/pull/8368)
+- Bumped pgmoon from 1.13.0 to 1.14.0
+  [#8429](https://github.com/Kong/kong/pull/8429)
 
 ### Additions
 
@@ -83,35 +91,55 @@
 - Routes now support matching headers with regular expressions
   Thanks, [@vanhtuan0409](https://github.com/vanhtuan0409)!
   [#6079](https://github.com/Kong/kong/pull/6079)
-- Targets keep their health status when upstreams are updated.
-  [#8394](https://github.com/Kong/kong/pull/8394)
+
+#### Beta
+
+- Secrets Management and Vault support as been introduced as a Beta feature.
+  This means it is intended for testing in staging environments. It not intended
+  for use in Production environments.
+  You can read more about Secrets Management in
+  [our docs page](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/secrets-management/backends-overview).
+  [#8403](https://github.com/Kong/kong/pull/8403)
 
 #### Performance
 
 - Improved the calculation of declarative configuration hash for big configurations
   The new method is faster and uses less memory
   [#8204](https://github.com/Kong/kong/pull/8204)
-- Several improvements in the Router decreased routing time and rebuild time. This should be
-  particularly noticeable when rebuilding on db-less environments
+- Multiple improvements in the Router. Amongst others:
+  - The router builds twice as faster
+  - Failures are cached and discarded faster (negative caching)
+  - Routes with header matching are cached
+  These changes should be particularly noticeable when rebuilding on db-less environments
   [#8087](https://github.com/Kong/kong/pull/8087)
   [#8010](https://github.com/Kong/kong/pull/8010)
 
 #### Plugins
 
 - **Response-ratelimiting**: Redis ACL support,
   and genenarized Redis connection support for usernames.
-  Thanks, [@27ascii](https://github.com/27ascii) for the origina contribution!
+  Thanks, [@27ascii](https://github.com/27ascii) for the original contribution!
   [#8213](https://github.com/Kong/kong/pull/8213)
 - **ACME**: Add rsa_key_size config option
   Thanks, [lodrantl](https://github.com/lodrantl)!
   [#8114](https://github.com/Kong/kong/pull/8114)
+- **Prometheus**: Added gauges to track `ngx.timer.running_count()` and
+  `ngx.timer.pending_count()`
+  [#8387](https://github.com/Kong/kong/pull/8387)
 
 #### Clustering
 
 - `CLUSTERING_MAX_PAYLOAD` is now configurable in kong.conf
   Thanks, [@andrewgknew](https://github.com/andrewgknew)!
   [#8337](https://github.com/Kong/kong/pull/8337)
 
+#### Admin API
+
+- The current declarative configuration hash is now returned by the `status`
+  endpoint when Kong node is running in dbless or data-plane mode.
+  [#8214](https://github.com/Kong/kong/pull/8214)
+  [#8425](https://github.com/Kong/kong/pull/8425)
+
 ### Fixes
 
 #### Core
@@ -132,6 +160,14 @@
   Thanks, [@mpenick](https://github.com/mpenick)!
   [#8226](https://github.com/Kong/kong/pull/8226)
 
+#### Balancer
+
+- Targets keep their health status when upstreams are updated.
+  [#8394](https://github.com/Kong/kong/pull/8394)
+- One debug message which was erroneously using the `error` log level
+  has been downgraded to the appropiate `debug` log level.
+  [#8410](https://github.com/Kong/kong/pull/8410)
+
 #### Clustering
 
 - Replaced cryptic error message with more useful one when
@@ -147,6 +183,10 @@
 
 - Phase names are correctly selected when performing phase checks
   [#8208](https://github.com/Kong/kong/pull/8208)
+- Fixed a bug in the go-PDK where if `kong.request.getrawbody` was
+  big enough to be buffered into a temporary file, it would return an
+  an empty string.
+  [#8390](https://github.com/Kong/kong/pull/8390)
 
 #### Plugins
 
@@ -156,9 +196,24 @@
 - **External Plugins**: Unwrap `ConsumerSpec` and `AuthenticateArgs`.
   Thanks, [@raptium](https://github.com/raptium)!
   [#8280](https://github.com/Kong/kong/pull/8280)
+- **External Plugins**: Fixed a problem in the stream subsystem would attempt to load
+  HTTP headers.
+  [#8414](https://github.com/Kong/kong/pull/8414)
+- **CORS**: The CORS plugin does not send the `Vary: Origin` header any more when
+  the header `Access-Control-Allow-Origin` is set to `*`.
+  Thanks, [@jkla-dr](https://github.com/jkla-dr)!
+  [#8401](https://github.com/Kong/kong/pull/8401)
 - **AWS-Lambda**: Fixed incorrect behavior when configured to use an http proxy
-    and deprecated the `proxy_scheme` config attribute for removal in 3.0
-    [#8406](https://github.com/Kong/kong/pull/8406)
+  and deprecated the `proxy_scheme` config attribute for removal in 3.0
+  [#8406](https://github.com/Kong/kong/pull/8406)
+- **oauth2**: The plugin clears the `X-Authenticated-UserId` and
+  `X-Authenticated-Scope` headers when it configured in logical OR and
+  is used in conjunction with another authentication plugin.
+  [#8422](https://github.com/Kong/kong/pull/8422)
+- **Datadog**: The plugin schema now lists the default values
+  for configuration options in a single place instead of in two
+  separate places.
+  [#8315](https://github.com/Kong/kong/pull/8315)
 
 
 ## [2.7.1]

autodoc/admin-api/data/admin-api.lua

@@ -31,6 +31,7 @@ return {
       "snis",
       "upstreams",
       "targets",
+      "vaults_beta",
     },
     nodoc_entities = {
     },
@@ -1606,8 +1607,7 @@ return {
         service. Every upstream can have many targets, and the targets can be
         dynamically added, modified, or deleted. Changes take effect on the fly.
 
-        Because the upstream maintains a history of target changes, the targets cannot
-        be deleted or modified. To disable a target, post a new one with `weight=0`;
+        To disable a target, post a new one with `weight=0`;
         alternatively, use the `DELETE` convenience method to accomplish the same.
 
         The current target object definition is the one with the latest `created_at`.
@@ -1885,7 +1885,66 @@ return {
           },
         },
       },
-    }
+    },
+
+    vaults_beta = {
+      title = "Vaults Beta Entity",
+      entity_title = "Vault",
+      entity_title_plural = "Vaults",
+      description = [[
+        Vault entities are used to configure different Vault connectors. Examples of
+        Vaults are Environment Variables, Hashicorp Vault and AWS Secrets Manager.
+
+        Configuring a Vault allows referencing the secrets with other entities. For
+        example a certificate entity can store a reference to a certificate and key,
+        stored in a vault, instead of storing the certificate and key within the
+        entity. This allows a proper separation of secrets and configuration and
+        prevents secret sprawl.
+      ]],
+
+      fields = {
+        id = { skip = true },
+        created_at = { skip = true },
+        updated_at = { skip = true },
+        name = {
+          description = [[
+            The name of the Vault that's going to be added. Currently, the Vault implementation
+            must be installed in every Kong instance.
+          ]],
+          example = "env",
+        },
+        prefix = {
+          description = [[
+            The unique prefix (or identifier) for this Vault configuration. The prefix
+            is used to load the right Vault configuration and implementation when referencing
+            secrets with the other entities.
+          ]],
+          example = "env",
+        },
+        description = {
+          description = [[
+            The description of the Vault entity.
+          ]],
+          example = "This vault is used to retrieve redis database access credentials",
+        },
+        config = {
+          description = [[
+            The configuration properties for the Vault which can be found on
+            the vaults' documentation page.
+          ]],
+          example = { prefix = "SSL_" },
+        },
+        tags = {
+          description = [[
+            An optional set of strings associated with the Vault for grouping and filtering.
+          ]],
+          examples = {
+            { "database-credentials", "data-plane" },
+            { "certificates", "critical" },
+          },
+        },
+      },
+    },
   },
 
 --------------------------------------------------------------------------------

autodoc/admin-api/generate.lua

@@ -93,12 +93,14 @@ _KONG = require("kong.meta")          -- luacheck: ignore
 kong = require("kong.global").new()   -- luacheck: ignore
 kong.configuration = {                -- luacheck: ignore
   loaded_plugins = {},
+  loaded_vaults = {},
 }
 kong.db = require("kong.db").new({    -- luacheck: ignore
   database = "postgres",
 })
 kong.configuration = { -- luacheck: ignore
-  loaded_plugins = {}
+  loaded_plugins = {},
+  loaded_vaults = {},
 }
 
 --------------------------------------------------------------------------------
@@ -196,6 +198,9 @@ do
     "0c61e164-6171-4837-8836-8f5298726d53",
     "5027BBC1-508C-41F8-87F2-AB1801E9D5C3",
     "68FDB05B-7B08-47E9-9727-AF7F897CFF1A",
+    "B2A30E8F-C542-49CF-8015-FB674987D1A5",
+    "518BBE43-2454-4559-99B0-8E7D1CD3E8C8",
+    "7C4747E9-E831-4ED8-9377-83A6F8A37603",
   }
 
   local ctr = 0
@@ -542,7 +547,7 @@ local function write_endpoint(outfd, endpoint, ep_data, dbless_methods)
              or not dbless_methods[endpoint][method])
       then
         write_title(outfd, 3, meth_data.title)
-        warning_message(outfd, "**Note**: Not available in DB-less mode.")
+        warning_message(outfd, "**Note**: This API is not available in DB-less mode.")
       else
         write_title(outfd, 3, meth_data.title, "{:.badge .dbless}")
       end

autodoc/admin-api/openapi-gen.lua

@@ -33,12 +33,14 @@ _KONG = require("kong.meta")          -- luacheck: ignore
 kong = require("kong.global").new()   -- luacheck: ignore
 kong.configuration = {                -- luacheck: ignore
   loaded_plugins = {},
+  loaded_vaults = {},
 }
 kong.db = require("kong.db").new({    -- luacheck: ignore
   database = "postgres",
 })
 kong.configuration = { -- luacheck: ignore
-  loaded_plugins = {}
+  loaded_plugins = {},
+  loaded_vaults = {},
 }
 
 

kong-2.7.0-0.rockspec

@@ -23,7 +23,7 @@ dependencies = {
   "version == 1.0.1",
   "kong-lapis == 1.8.3.1",
   "lua-cassandra == 1.5.1",
-  "pgmoon == 1.13.0",
+  "pgmoon == 1.14.0",
   "luatz == 0.4",
   "lua_system_constants == 0.1.4",
   "lyaml == 6.2.7",

kong/clustering/control_plane.lua

@@ -54,6 +54,7 @@ local PING_INTERVAL = constants.CLUSTERING_PING_INTERVAL
 local PING_WAIT = PING_INTERVAL * 1.5
 local OCSP_TIMEOUT = constants.CLUSTERING_OCSP_TIMEOUT
 local CLUSTERING_SYNC_STATUS = constants.CLUSTERING_SYNC_STATUS
+local DECLARATIVE_EMPTY_CONFIG_HASH = constants.DECLARATIVE_EMPTY_CONFIG_HASH
 local PONG_TYPE = "PONG"
 local RECONFIGURE_TYPE = "RECONFIGURE"
 local MAJOR_MINOR_PATTERN = "^(%d+)%.(%d+)%.%d+"
@@ -598,7 +599,7 @@ function _M:handle_cp_websocket()
   end
 
   local dp_plugins_map = plugins_list_to_map(data.plugins)
-  local config_hash = string.rep("0", 32) -- initial hash
+  local config_hash = DECLARATIVE_EMPTY_CONFIG_HASH -- initial hash
   local last_seen = ngx_time()
   local sync_status = CLUSTERING_SYNC_STATUS.UNKNOWN
   local purge_delay = self.conf.cluster_data_plane_purge_delay

kong/clustering/data_plane.lua

@@ -43,6 +43,7 @@ local WS_OPTS = {
 local PING_INTERVAL = constants.CLUSTERING_PING_INTERVAL
 local PING_WAIT = PING_INTERVAL * 1.5
 local _log_prefix = "[clustering] "
+local DECLARATIVE_EMPTY_CONFIG_HASH = constants.DECLARATIVE_EMPTY_CONFIG_HASH
 
 
 local function is_timeout(err)
@@ -187,7 +188,7 @@ local function send_ping(c, log_suffix)
   local hash = declarative.get_current_hash()
 
   if hash == true then
-    hash = string.rep("0", 32)
+    hash = DECLARATIVE_EMPTY_CONFIG_HASH
   end
 
   local _, err = c:send_ping(hash)

kong/cmd/vault.lua

@@ -38,8 +38,6 @@ local function init_db(args)
   assert(db.vaults_beta:load_vault_schemas(conf.loaded_vaults))
 
   _G.kong.db = db
-
-  return db
 end
 
 
@@ -51,7 +49,7 @@ local function get(args)
       return error("the 'get' command needs a <reference> argument \nkong vault get <reference>")
     end
 
-    local db = init_db(args)
+    init_db(args)
 
     if not vault.is_reference(reference) then
       -- assuming short form: <name>/<resource>[/<key>]
@@ -63,21 +61,7 @@ local function get(args)
       return error(err)
     end
 
-    local name = opts.name
-    local res
-
-    local vaults = db.vaults_beta
-    if vaults.strategies[name] then
-      res, err = vault.get(reference)
-
-    elseif vaults:select_by_prefix(name) then
-      ngx.IS_CLI = false
-      res, err = vault.get(reference)
-      ngx.IS_CLI = true
-    else
-      error(fmt("vault '%s' was not found", name, name, args[1]))
-    end
-
+    local res, err = vault.get(reference)
     if err then
       return error(err)
     end

kong/constants.lua

@@ -187,6 +187,7 @@ local constants = {
   DECLARATIVE_PAGE_KEY = "declarative:page",
   DECLARATIVE_LOAD_KEY = "declarative_config:loaded",
   DECLARATIVE_HASH_KEY = "declarative_config:hash",
+  DECLARATIVE_EMPTY_CONFIG_HASH = string.rep("0", 32),
 
   CLUSTER_ID_PARAM_KEY = "cluster_id",